Bug 107105

Summary: glyph.c ignores allocation failures with possible heap corruption
Product: XCB
Reporter: Sam Varshavchik <mrsam>
Component: Utils
Assignee: xcb mailing list dummy <xcb>
Status: RESOLVED MOVED
QA Contact: xcb mailing list dummy <xcb>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All

Description Sam Varshavchik 2018-07-03 21:15:56 UTC
In renderutil/glyph.c, _grow_stream() checks if realloc() fails, but doesn't really do anything about that, and simply returns.

All existing callers of _grow_stream() assume that it succeeds, and proceed to blindly memcpy() more stuff to the stream.

There's a remote chance of this being exploitable. An attacker would have to cause an application that uses xcb to:

- run out of memory

- proceed to create a text stream consisting of glyph data that overwrites and corrupts the existing heap space, in some controlled way.

A brief survey of the existing calls to _grow_stream() suggests that plugging this hole is trivial -- have _grow_stream() return an error indication, and all existing calls to _grow_stream() in glyph.c can simply return, in that case.
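The fix the report sketches, as an added example and not libxcb's own code: a growable stream whose grow routine reports realloc() failure to its callers, so that no caller ever memcpy()s into space that was never obtained. The struct, the function names (grow_stream, stream_append, stream_free, check_oom_path) and the fail_next_realloc hook that simulates an out-of-memory condition are all assumptions made for this example; the sample payload is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable byte stream (not libxcb's struct); the names are ours. */
struct stream {
    char  *buf;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
};

/* Test hook (assumption for this example): when non-zero, the next realloc()
 * attempt reports failure, so the out-of-memory path can be exercised
 * without actually exhausting memory. */
static int fail_next_realloc = 0;

static void *stream_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* The reported pattern is a void grow routine that returns silently when
 * realloc() fails, after which the caller memcpy()s past the old allocation.
 * The fix below makes growth report its outcome: 1 on success, 0 on failure.
 * On failure the stream is left exactly as it was, so nothing gets written. */
static int grow_stream(struct stream *s, size_t needed)
{
    size_t want, newcap;
    void *p;

    if (needed > SIZE_MAX - s->len)          /* size arithmetic must not wrap */
        return 0;
    want = s->len + needed;
    if (want <= s->cap)
        return 1;                            /* already enough room */

    newcap = s->cap ? s->cap : 64;
    while (newcap < want) {
        if (newcap > SIZE_MAX / 2) {         /* avoid overflow when doubling */
            newcap = want;
            break;
        }
        newcap *= 2;
    }
    p = stream_realloc(s->buf, newcap);
    if (p == NULL)
        return 0;                            /* old buffer still valid, still owned by s */
    s->buf = p;
    s->cap = newcap;
    return 1;
}

/* Every caller checks the result before copying; on failure it simply returns. */
static int stream_append(struct stream *s, const void *data, size_t n)
{
    if (!grow_stream(s, n))
        return 0;
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return 1;
}

static void stream_free(struct stream *s)
{
    free(s->buf);
    s->buf = NULL;
    s->len = s->cap = 0;
}

/* Walks the failure path end to end with constructed data. Returns 1 if the
 * refused append left the stream intact and a later append still succeeds. */
static int check_oom_path(void)
{
    struct stream s = {0};
    char big[100];
    int ok;

    memset(big, 'x', sizeof big);                 /* constructed payload */
    if (!stream_append(&s, "abc", 3))
        return 0;

    fail_next_realloc = 1;                        /* the next growth will fail */
    ok = stream_append(&s, big, sizeof big) == 0  /* append refused ...          */
      && s.len == 3                               /* ... nothing written          */
      && memcmp(s.buf, "abc", 3) == 0             /* ... contents untouched       */
      && stream_append(&s, big, sizeof big) == 1  /* recovers once memory is back */
      && s.len == 103;
    stream_free(&s);
    return ok;
}

int main(void)
{
    return check_oom_path() ? 0 : 1;
}
```

The point of the hook is that the out-of-memory branch is the one branch ordinary testing never reaches; forcing it in a unit test is the cheapest way to confirm that every caller of the grow routine really does stop on failure instead of writing past the old allocation.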
Comment 1 GitLab Migration User 2019-02-16 19:44:31 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/lib/libxcb-cursor/issues/7.
